Re: openssl U.S. export rules
On Fri, 4 Mar 2005, Henderson, Thomas R wrote:

> Has anyone received sound legal advice about the rules for U.S. citizens
> for distributing openssl as part of a software bundle? Specifically,
> I'd like to make a LiveCD that includes openssl libraries. Will I run
> afoul of the U.S. export laws in doing so? Does it make any difference
> if the openssl library is in the base Linux distribution already?

You probably want to look at the US regulations regarding the TSU exemption (Technology and Software -- unrestricted) (section 740.13 of the regulations). See the notification requirements at "http://www.bxa.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html" and the regulations from December 9, 2004 linked on that site. Note that the exemption for source code also applies to corresponding object code. You will have to get your own legal advice if you have questions not answered by the regulations.

Doug

P.S. That isn't a typo; it really is "Nofify".

--
Doug Kaufman
Internet: [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
RE: SSL_CTX_load_verify_locations
So the way to do it would be to load the data into the cert store manually and not use the SSL_CTX_load_verify_locations function?

Thanks

-----Original Message-----
From: Dr. Stephen Henson [mailto:[EMAIL PROTECTED]
Sent: Friday, March 04, 2005 2:32 PM
To: openssl-dev@openssl.org
Subject: Re: SSL_CTX_load_verify_locations

On Fri, Mar 04, 2005, Darya Mazandarany wrote:

> Hi all,
>
> I was just wondering if there has been any discussion about introducing
> a way to load certificates for validation using a memory buffer. The
> company I am currently working for would like to have this and have
> asked me to implement it. I have looked at the code and would be willing
> to do it as long as it is not already in the works and there is no
> compelling reason not to.

Err that's already possible either via a memory BIO or d2i_X509().

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
[openssl.org #1019] renegotiation failure - bug report.
Hi,

The re-negotiation fails when the client and data can send data asynchronously. I am sure you might already know this. The following are posted in user group.

http://www.mail-archive.com/openssl-users@openssl.org/msg38868.html
http://www.mail-archive.com/openssl-users@openssl.org/msg38878.html

Are there any plans to fix this in upcoming releases?

Thank you.
Re: SSL_CTX_load_verify_locations
On Fri, Mar 04, 2005, Darya Mazandarany wrote:

> Hi all,
>
> I was just wondering if there has been any discussion about introducing
> a way to load certificates for validation using a memory buffer. The
> company I am currently working for would like to have this and have
> asked me to implement it. I have looked at the code and would be willing
> to do it as long as it is not already in the works and there is no
> compelling reason not to.

Err that's already possible either via a memory BIO or d2i_X509().

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
RE: openssl U.S. export rules
> > The BXA doesn't care how you get the encryption done, whether an
> > application has its own routines or calls a library, if the end
> > result is
> > cryptography, it's cryptographic software.
>
> Yes it does. There are special exemptions for open source.
>
> /r$

This is a total non sequitur. I discussed the exemption for open source. This paragraph was addressing the distinction between programs that implement cryptographic algorithms themselves and programs that get their cryptographic algorithms from libraries (which may not be distributed with that program). The BXA does not make a distinction. Essentially, any program that uses (or could be made to use) OpenSSL would be subject to precisely the same BXA rules as if it contained those same cryptographic algorithms itself.

The OP specifically asked if it made any difference whether he shipped OpenSSL or if it was included in the base Linux distribution itself. And the answer is, no, it makes no difference. The software he wants to distribute is cryptographic software if it performs (or can perform, would be expected to perform, contains hooks intended to facilitate, etcetera) cryptographic functions, whether or not under the hood it uses libraries that are already there to implement the actual algorithms.

DS
RE: openssl U.S. export rules
Thanks for your advice and the BXA pointer. I understand and appreciate your avoidance of making any explicit recommendation or endorsement of following a particular course of action.

I would like to suggest the following text for your FAQ, under Legal section:

3. What are the United States export rules on redistributing OpenSSL-based software?

"Note that the OpenSSL project and developers do not provide certified legal advice. The project recommends that you familiarize yourself with the following website (http://www.bxa.doc.gov) and consult an attorney."
RE: openssl U.S. export rules
> Hi, apologies if this has already been covered, but I did not find it
> specifically in the faq or by googling.

You really need to read the actual BXA regulations and, if you plan to rely on the advice, hire an attorney.

> Has anyone received sound legal advice about the rules for U.S. citizens
> for distributing openssl as part of a software bundle?

You would have to secure export permission either for the entire bundle or for each cryptographic package individually. If they are all open source, this is not difficult. There is a license exemption.

> Specifically,
> I'd like to make a LiveCD that includes openssl libraries. Will I run
> afoul of the U.S. export laws in doing so?

There is no way to say based on just the information you gave. My answer would be: I hope you follow the law and don't.

> Does it make any difference
> if the openssl library is in the base Linux distribution already?

It does for OpenSSL, but I presume OpenSSL is being distributed along with other things that are going to use it. Those other things are cryptographic software (or cryptographic-enabled software) as well.

The BXA doesn't care how you get the encryption done, whether an application has its own routines or calls a library, if the end result is cryptography, it's cryptographic software.

DS
openssl U.S. export rules
Hi, apologies if this has already been covered, but I did not find it specifically in the faq or by googling.

Has anyone received sound legal advice about the rules for U.S. citizens for distributing openssl as part of a software bundle? Specifically, I'd like to make a LiveCD that includes openssl libraries. Will I run afoul of the U.S. export laws in doing so? Does it make any difference if the openssl library is in the base Linux distribution already?

Thanks,
Tom
SSL_CTX_load_verify_locations
Hi all,

I was just wondering if there has been any discussion about introducing a way to load certificates for validation using a memory buffer. The company I am currently working for would like to have this and have asked me to implement it. I have looked at the code and would be willing to do it as long as it is not already in the works and there is no compelling reason not to.

Thanks in Advance,
Darya Mazandarany
OpenSsl and DTLS
Hello Group,

Does OpenSsl have plans to support DTLS? Is there any good open source prototype implementation?

Regards,
Prashant kumar.
[openssl.org #1018] unbuffered stdin problem?
Hi,

The command

    openssl rsa -passin stdin -noout -modulus < passkey

gives error

    unable to load Private Key
    1860:error:0906D06C:PEM routines:PEM_read_bio:no start line:./pem/pem_lib.c:637:Expecting: ANY PRIVATE KEY

I suspect the error has to do with http://cvs.openssl.org/chngview?cn=4024 (this is for cert but equally valid for keys).

setvbuf man page says that the input could be discarded if the stream is "Active". Commenting that line of code does solve this problem. This applies to all recent versions of openssl.

One potential solution is to do the setvbuf before reading the passphrase. I don't know of one single place to put this change except maybe openssl.c.

Do you see any problem with this solution? Is there a better solution?

Thanks
Kapil
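The ordering issue raised in the report above, as an added example that is not part of the original message and is not OpenSSL code: it reads a passphrase line from a pipe with stdio and counts how many key bytes are still unread on the descriptor, once with setvbuf() called before the first read and once with default buffering. The helper name `key_bytes_left_on_fd` and the sample input are constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* fdopen(), pipe() */
#endif
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample: a passphrase line, then placeholder key material. */
static const char SAMPLE[] =
    "s3cret-pass\n"
    "-----BEGIN PLACEHOLDER KEY-----\n"
    "Y29uc3RydWN0ZWQ=\n"
    "-----END PLACEHOLDER KEY-----\n";

/* Hypothetical helper: send SAMPLE through a pipe (not seekable, like a
 * piped stdin), read the passphrase line with stdio, and return how many
 * key bytes are still unread on the descriptor, or -1 on error.
 * unbuffer_first != 0 calls setvbuf(_IONBF) before the first read. */
long key_bytes_left_on_fd(int unbuffer_first, char *pass, size_t pass_len)
{
    int fds[2];
    char rest[256];
    long left = 0;
    ssize_t n;
    FILE *in;
    if (pipe(fds) != 0) return -1;
    n = write(fds[1], SAMPLE, sizeof(SAMPLE) - 1);
    close(fds[1]); /* reader sees EOF after the sample */
    in = (n == (ssize_t)(sizeof(SAMPLE) - 1)) ? fdopen(fds[0], "r") : NULL;
    if (in == NULL) { close(fds[0]); return -1; }
    if (unbuffer_first)
        setvbuf(in, NULL, _IONBF, 0); /* no I/O has happened on the stream yet */
    if (fgets(pass, (int)pass_len, in) == NULL) { fclose(in); return -1; }
    pass[strcspn(pass, "\n")] = '\0';
    /* Whatever is not left here sits in the stdio buffer, where a later
     * buffer reset on the active stream can drop it. */
    while ((n = read(fds[0], rest, sizeof(rest))) > 0)
        left += n;
    fclose(in);
    return left;
}

int main(void)
{
    char pass[64];
    printf("setvbuf first:     %ld key bytes left\n", key_bytes_left_on_fd(1, pass, sizeof(pass)));
    printf("default buffering: %ld key bytes left\n", key_bytes_left_on_fd(0, pass, sizeof(pass)));
    return 0;
}
```

With default buffering the first fgets() pulls the whole sample into the stdio buffer, so none of the key remains on the descriptor; with setvbuf() first, only the passphrase line is consumed.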